Dec 15, 2009, 12:24 PM // 12:24
|
#141
|
Jungle Guide
Join Date: Jun 2008
Location: Australia, what you want my home address?
Guild: [CAT]
Profession: Mo/
|
Those are all prevention methods, not recovery methods, with the exception of the deleted character staying on the server for a week, which is a bit of both.
Preventing account sensitive actions, flagging valuables so they can't be traded/sold/dropped etc... 100% Prevention, 0% Recovery. Unless recovery means something other than recovery?
I thought Recovery was "Compromised account restorations", getting your stuff back after it's been lost/deleted/stolen... you know, Recovering it.
Maybe it's some weird terminology that I'm not familiar with, in regards to MMOs.
|
|
|
Dec 15, 2009, 01:26 PM // 13:26
|
#142
|
Banned
|
I notice this morning that the GW login screen now has the "strong passwords" warning in bright red.
1. I don't remember that as being one of the options or suggestions in this poll.
2. I really hope they don't expect to get away with "There; we did something. The Warning is red. Now shut up and buy our stuff"
|
|
|
Dec 15, 2009, 01:41 PM // 13:41
|
#143
|
Desert Nomad
Join Date: Aug 2005
Guild: DVDF(Forums)
Profession: Me/N
|
It's common knowledge that red text is a surefire way to scare hackers away. That's why the words 'Access Denied' are always in red in the movies.
|
|
|
Dec 15, 2009, 02:06 PM // 14:06
|
#144
|
Banned
|
LOL -
The problem with GW security is it seems the only people who ever see the "access denied" message are the true account holders after their account has been hacked.
|
|
|
Dec 15, 2009, 02:07 PM // 14:07
|
#145
|
Desert Nomad
Join Date: Sep 2007
Location: New Zealand
Guild: CoA
Profession: N/
|
Account Security Solutions: Update Warning to Red Text.
Can close thread now guys, it's all sorted.
|
|
|
Dec 15, 2009, 02:13 PM // 14:13
|
#146
|
Grotto Attendant
Join Date: Mar 2006
Location: Done.
Guild: [JUNK]
|
Quote:
Originally Posted by Shanaeri Rynale
It's common knowledge that red text is a surefire way to scare hackers away. That's why the words 'Access Denied' are always in red in the movies.
|
But on a serious note, I talked to 4 people in the last few days about the security issues. All guys that play quite a lot.
NONE of them was aware of the issue.
I think we, the users, REALLY need to be more aggressive about spreading the word about these issues. Because this seems to be the only thing we can currently do.
So is anyone up for creating a security thread - something that will contain all the information we have about this issue in one place? So that there is going to be one definitive thread that we can tell folks to read, where one has all the info on what one should be doing and what one SHOULDN'T be doing in one place?
|
|
|
Dec 15, 2009, 02:27 PM // 14:27
|
#147
|
Furnace Stoker
Join Date: Jan 2008
Profession: Mo/
|
I LOL'd at the login screen now in red letters telling people to change their passwords regularly. As detailed on many threads now, the ncsoft website possibly, and the whole plaync account thing is horribly flawed and most likely the place where the hackers are gaining access to the accounts. So the people at GW just created a whole lot of new suckers who will change their password often at the plaync site and give the hackers some fresh meat. Yes, most will use the main login screen to change passwords regularly, but a certain percentage will be fed to the hackers through the ncsoft site. Just in time for Christmas.
|
|
|
Dec 15, 2009, 06:17 PM // 18:17
|
#148
|
Forge Runner
Join Date: Apr 2008
Location: Canada
Profession: E/
|
The addition of a usable Login Name in place of the current username (your email account) would also be greatly appreciated...
|
|
|
Dec 15, 2009, 10:22 PM // 22:22
|
#149
|
Krytan Explorer
|
Yeah, I'm testing something out.
I changed my GW password to something like this:
WoR9~`38&|$@~+!wWlo08$='qGV572H+;
Uppercase, lowercase, a bunch of other non-number/alpha characters, and I'll see if my account still gets hacked. If it does, then ANET is wrong about using hard passwords.
|
|
|
Dec 15, 2009, 10:38 PM // 22:38
|
#150
|
ArenaNet
Join Date: Apr 2008
Profession: Me/
|
Thank you for posting this poll. I have already forwarded this to the executive team. Please be assured that this issue is a top priority for us. The support team continues to investigate and monitor the issue, and take care of support requests, while relaying important data to the development team. The development team has been actively involved in developing solutions, but for security reasons, we can't go into the details of what those steps entail because it could compromise everything if that information was posted in public and the account thieves got a hold of it. This is of the utmost importance to us. There are a number of precautions you can take to try and protect your account, detailed here. Also please see this post which contains updated information from our support team.
__________________
Regina Buenaobra
Community Manager
ArenaNet, Inc.
|
|
|
Dec 15, 2009, 10:46 PM // 22:46
|
#151
|
Furnace Stoker
Join Date: Oct 2005
Location: Planet Earth, Sol system, Milky Way galaxy
Guild: [ban]
Profession: W/
|
Increasing password complexity at the game log in screen is meaningless if the NCSoft Master Account which controls linked accounts lacks the same or better password complexity or security precautions.
Quote:
Originally Posted by Gaile Gray
Of a cross-sampling of accounts, nearly half did not have an NCMA at all.
|
link
See, if I just flip that around, I could also say more than 50% of breached accounts did in fact have an NCMA according to the data you have just presented.
Last edited by MisterB; Dec 15, 2009 at 10:51 PM // 22:51..
|
|
|
Dec 15, 2009, 10:52 PM // 22:52
|
#152
|
Krytan Explorer
Join Date: Mar 2008
Location: England
Profession: Me/
|
Quote:
Originally Posted by Regina Buenaobra
Thank you for posting this poll. I have already forwarded this to the executive team. Please be assured that this issue is a top priority for us. The support team continues to investigate and monitor the issue, and take care of support requests, while relaying important data to the development team. The development team has been actively involved in developing solutions, but for security reasons, we can't go into the details of what those steps entail because it could compromise everything if that information was posted in public and the account thieves got a hold of it. This is of the utmost importance to us. There are a number of precautions you can take to try and protect your account, detailed here. Also please see this post which contains updated information from our support team.
|
Glad to hear you're already on this and that something is being done.
I understand you can't say much if anything, but please, can you at least say whether or not anything is going to change with regard to the NCsoft end of it (EG requiring existing password before it's allowed to be changed!), or will the changes be on the ANet/GW side? I'd like to know for the sake of both my Aion and my GW accounts.
EDIT:
Quote:
Originally Posted by MisterB
Increasing password complexity at the game log in screen is meaningless if the NCSoft Master Account which controls linked accounts lacks the same or better password complexity or security precautions.
Quote:
Originally Posted by Gaile Gray
Of a cross-sampling of accounts, nearly half did not have an NCMA at all.
|
link
See, if I just flip that around, I could also say more than 50% of breached accounts did in fact have an NCMA according to the data you have just presented.
|
Also what about the Aion accounts that have been hacked with the same symptoms (email stating NCsoft password has been changed)? Increasing GW password complexity won't do anything for Aion accounts either. I really hope NCsoft is doing something as well as ANet.
Last edited by Smarty; Dec 15, 2009 at 10:58 PM // 22:58..
|
|
|
Dec 15, 2009, 11:00 PM // 23:00
|
#153
|
Lion's Arch Merchant
Join Date: Dec 2008
Guild: Funny Business Inc [FBI]
|
Quote:
Originally Posted by Regina Buenaobra
Thank you for posting this poll. I have already forwarded this to the executive team. Please be assured that this issue is a top priority for us. The support team continues to investigate and monitor the issue, and take care of support requests, while relaying important data to the development team. The development team has been actively involved in developing solutions, but for security reasons, we can't go into the details of what those steps entail because it could compromise everything if that information was posted in public and the account thieves got a hold of it. This is of the utmost importance to us. There are a number of precautions you can take to try and protect your account, detailed here. Also please see this post which contains updated information from our support team.
|
Regardless of your response sounding like something coming from a machine, thanks for letting us know that you're not ignoring the issue.
|
|
|
Dec 15, 2009, 11:04 PM // 23:04
|
#154
|
Older Than God (1)
Join Date: Aug 2006
Guild: Clan Dethryche [dth]
|
Following Regina's link:
Quote:
Originally Posted by Gaile Gray
I've noticed a number of comments about NCsoft Master Accounts and hacked game accounts. It appears that some players are assuming that there is a connection, that if you have an NCsoft Master Account (NCMA) you may be at increased risk of account theft. We have conducted extensive research on this factor, and I have data as current as this morning that shows that this does not appear to be true. Of a cross-sampling of accounts, nearly half did not have an NCMA at all. I hope that this information puts your mind at ease on any perceived "risk factor" regarding whether a game account is tied to an NCMA or not, for that truly does not seem to be an element in the current situation.
|
I have to admit to frustration here. This ground has been covered before:
We know that PEBCAKs are a significant security problem. Not all PEBCAKs will have an NCSoft Master Account. It follows that there will be (many) account thefts where the user does not have an NCSoft Master Account. The existence of PEBCAKs without an NCSoft Master Account does not disprove the thesis that accounts are being stolen using the NCSoft Master Account.
Attempting to use this evidence to back the assertion that NCSoft Master Accounts are secure is either wrongheaded or intellectually dishonest. If you are looking for a single variable to tie all of the account thefts together, you will never find it. Similarly, you cannot discard any variable simply because it does not tie all of the account thefts together. Accounts are almost certainly being stolen by multiple pathways.
You are unlikely to resolve this problem until you come to grips with the fact that the NCSoft Master Account is a probable pathway. I'm not asking you to come out and admit that such accounts are the security vulnerability. I'm asking you to either fix the apparent vulnerabilities directly, or make some changes to the GW client and password reset mechanism that protect players in the event of unauthorized access to an NCSoft Master Account.
EDIT: Just so it's clear what I'm talking about, you can do the following on the NCSoft website:
- Generate a valid list of usernames via automated attack (the site responds differently when you input a false username)
- Verify when you got one of the two security answers correct for resetting a password (site tells you)
- Crack the preponderance of valid accounts protected by the older birthday password reset mechanism in a matter of months by automated attack
- Attempt to input a password for a valid account as many times as you like
Once you gain unauthorized access, the NCSoft account displays the login username for the game account, and you can reset the game account password without any further information.
These aren't the only concerns. Others more qualified than I have commented on more efficient schemes for cracking the site than brute force, and there have been a decent number of reports of account thefts immediately following accessing the NCSoft Master Account. I'm not going to weigh in on those issues here; in the former case I don't know enough to evaluate claims, and in the latter it is difficult to discard the keylogger hypothesis.
Last edited by Martin Alvito; Dec 16, 2009 at 02:21 AM // 02:21..
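The four weaknesses listed in the post above map onto a small set of server-side controls. The following is an added defensive sketch, not part of the original post and not NCsoft's or ArenaNet's code: a reset handler that gives one reply whether or not the username exists, checks both security answers as a unit, and throttles attempts per submitted username. The class, the policy constants and the sample account are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

GENERIC_REPLY = "If those details match an account, a reset link was emailed."
THROTTLED_REPLY = "Too many attempts. Try again later."
MAX_FAILURES = 5        # assumed policy: failures allowed per window
WINDOW_SECONDS = 900    # assumed policy: length of the window


def digest(answer):
    # Normalised digest for the demo; a real system would use a salted slow hash.
    return hashlib.sha256(answer.strip().lower().encode()).digest()


# Constructed sample data: username -> digests of the two security answers.
CONSTRUCTED_ACCOUNTS = {"alice": (digest("rex"), digest("perth"))}
# Compared against when the username is unknown, so both paths do the same work.
DUMMY = (digest("dummy-a"), digest("dummy-b"))


class ResetService:
    def __init__(self, accounts, clock=time.monotonic):
        self.accounts = accounts
        self.clock = clock
        self.failures = {}  # submitted username -> timestamps of recent failures
        self.outbox = []    # usernames whose owner would be mailed a reset link

    def _throttled(self, username):
        now = self.clock()
        recent = [t for t in self.failures.get(username, [])
                  if now - t < WINDOW_SECONDS]
        self.failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def request_reset(self, username, answer1, answer2):
        # Throttle on the submitted name, known or not, so the throttle
        # message itself cannot be used to tell valid usernames apart.
        if self._throttled(username):
            return THROTTLED_REPLY
        stored = self.accounts.get(username, DUMMY)
        ok1 = hmac.compare_digest(stored[0], digest(answer1))
        ok2 = hmac.compare_digest(stored[1], digest(answer2))
        if username in self.accounts and ok1 and ok2:
            self.outbox.append(username)   # link goes to the registered email
            self.failures.pop(username, None)
        else:
            self.failures.setdefault(username, []).append(self.clock())
        # Same reply for unknown user, one right answer, or full success.
        return GENERIC_REPLY
```

Throttling per username means an attacker can delay a legitimate owner's reset for one window; that trade-off is usually accepted in exchange for bounding guess rates.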
|
|
|
Dec 16, 2009, 01:21 AM // 01:21
|
#155
|
Desert Nomad
Join Date: Apr 2006
Profession: R/
|
Quote:
Originally Posted by Regina Buenaobra
There are a number of precautions you can take to try and protect your account, detailed here.
|
EPIC FAIL
How about you listen to the results of the poll. It's pretty obvious what is needed.
|
|
|
Dec 16, 2009, 01:43 AM // 01:43
|
#156
|
Lion's Arch Merchant
|
Quote:
Originally Posted by Fay Vert
EPIC FAIL
|
I don't believe that there is failure or bad advice in the items in this list (linked above). Those are known and proven ways that you can get hacked. So that's still good, sound advice for players to follow. I do find it a little funny, however, that Regina says "...to help try to protect your account."
I think that the failure is in their belief that these are *the only ways* that you can get hacked.
Maybe they get it, though, and that they know that there are other vulnerabilities. They may not be able to say anything, or to help maintain their image, they know that they can't say anything about other vulnerabilities. It's not like they are going to point fingers at NCsoft, that's for sure!
Last edited by Grunntar; Dec 16, 2009 at 01:45 AM // 01:45..
|
|
|
Dec 16, 2009, 01:55 AM // 01:55
|
#157
|
Furnace Stoker
Join Date: Jan 2008
Profession: Mo/
|
Maybe I enjoy politician speak and corporate press release speak too much, but when I read Regina's comments I interpret parts of it as follows:
1) "The support team continues to investigate and monitor the issue, and take care of support requests, while relaying important data to the development team." My interpretation: this is at a very early stage and may or may not turn into a project.
2) "The development team has been actively involved in developing solutions, but for security reasons, we can't go into the details of what those steps entail..." My interpretation: Cover our a-- and make it sound like we are doing something, but don't say anything specific, stay generic, that can be interpreted any way people want. Koolaid drinkers who believe will thank us for doing something even if we haven't done a thing! Note they have "developed" solutions. This is very different from "implementing." Also, developed solutions to what problem? This next part below gives me little hope.
Then I read Gaile saying: ".... nearly half did not have an NCMA at all. I hope that this information puts your mind at ease on any perceived "risk factor" regarding whether a game account is tied to an NCMA or not, for that truly does not seem to be an element in the current situation."
She gave us half of the relevant data by telling us more than 50% of hacked accounts had an NCMA, now break that majority down for us and tell us how many were accessed through the NCMA vs. GW Client. The fact that we were given no relevant data is confirmation to me that there is no solution in the works as they do not think that the passwords being changed through the master account is a problem.
All of that adds up to me thinking as I am reading this: "Omg, there ain't nothing happening for a longggg time because this has just gone into corporate speak, C.Y.A. mode, with a dash of denial."
Hopefully I am just a paranoid schizophrenic with some conspiracy theory delusions, but I dread logging on more and more each day cuz I know someone is out to get me and I do not think anyone in GW corporate-land is out to save us.
Last edited by Tramp; Dec 16, 2009 at 02:06 AM // 02:06..
|
|
|
Dec 16, 2009, 05:04 AM // 05:04
|
#158
|
Desert Nomad
|
Rudimentary, common security practices that should be implemented immediately:
1) PlayNC accounts should not be capable of changing Guild Wars passwords without email verification from the user requesting the change. It's inconceivable that email verification for password changes hasn't been implemented, and it would have prevented the vast majority of hacking incidents reported in the hacked accounts thread. It certainly would have prevented mine.
2) IP checking. This is, again, so obvious it's appalling that it wasn't implemented from the outset. It's one thing for my account to be accessed and my password changed by, say, someone from the same state. It's another thing entirely for security to be so lax on PlayNC accounts that the system fails to notice that a Chinese IP it's never seen before is changing my GW password.
There's really no excuse for these two not being implemented right now, for GW1. It's a bit more work, but we really also need:
3) Game accounts should be locked immediately (and automatically) upon receipt of a security breach report from the email account registered to the account. If I notice within 5 minutes of my account being violated that someone is in there that shouldn't be, I should be able to stop any further changes and kick the bastard out. I should have to wait six DAYS for support to get around to helping me, by which time I've been totally cleaned out.
For Guild Wars 2:
4) Account restoration is an absolute must-have feature. As a hacking victim myself I won't even consider buying Guild Wars 2 without it, because it's obvious that Anet/NCsoft can't perfectly secure our accounts, even if they took the above three steps, which leads me to my final request:
5) NCsoft and Anet need to TAKE SOME RESPONSIBILITY. This business of blaming the problem on forum security, on other games, on users, on anything and everything but NCsoft's own lax security practices just broadcasts the game and its players as good targets to hackers. Are some hacks a result of these things? Of course. Are all of them? Of course not. For both, a few simple security fixes could largely mitigate the danger, and the implementation of account restorations for Guild Wars 2 could make players feel genuinely secure, but none of that is ever going to happen as long as the company line is that everything is someone else's fault.
I had a fun run with Guild Wars, it's a genuinely great game. I'm saddened that I'll never be able to go back and enjoy the game again without the spectre of losing everything I work for hanging over my head. The reality is I'll never become invested in the game again because I know how easy it is to lose everything, and I've seen how disinterested support is in my concerns.
I'd like to buy and play Guild Wars 2, but without at least the changes I list above there's simply no way I can. If my GW2 account can be cracked via PlayNC as easily as my GW1 account was, there's no point in my purchasing or playing on a GW2 account in the first place.
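Points 1 to 3 of the post above describe one flow: a password change that only takes effect after confirmation from the registered email, a flag when the request comes from a network the account has not used, and an immediate lock when the owner reports a breach. The following is an added sketch of that flow, not part of the original post and not the vendor's code. The class, the /24 "known network" rule, the token lifetime and all addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

TOKEN_TTL = 900  # seconds a confirmation link stays valid (assumed policy)


def network_of(ip):
    # Coarse "seen this network before" key: the IPv4 /24 (an assumption).
    return ipaddress.ip_network(f"{ip}/24", strict=False)


class AccountGuard:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}
        self.mail = []  # stands in for the outbound mail queue

    def add(self, name, email, password_hash, known_ip):
        self.accounts[name] = {"email": email, "password_hash": password_hash,
                               "networks": {network_of(known_ip)},
                               "locked": False, "pending": None}

    def request_change(self, name, new_hash, source_ip):
        acct = self.accounts[name]
        if acct["locked"]:
            return "locked"
        token = secrets.token_urlsafe(32)
        # Store only a digest of the token; the change is parked, not applied.
        acct["pending"] = (hashlib.sha256(token.encode()).digest(), new_hash,
                           self.clock() + TOKEN_TTL)
        unfamiliar = network_of(source_ip) not in acct["networks"]
        self.mail.append({"to": acct["email"], "token": token,
                          "unfamiliar_ip": unfamiliar})
        return "pending"

    def confirm(self, name, token):
        acct = self.accounts[name]
        pending = acct["pending"]
        if acct["locked"] or pending is None:
            return False
        token_digest, new_hash, expires = pending
        acct["pending"] = None  # single use: any attempt consumes the request
        supplied = hashlib.sha256(token.encode()).digest()
        if self.clock() > expires or not hmac.compare_digest(token_digest, supplied):
            return False
        acct["password_hash"] = new_hash
        return True

    def report_breach(self, name, from_email):
        # Assumes the mail pipeline has already authenticated the sender address.
        acct = self.accounts[name]
        if from_email.lower() != acct["email"].lower():
            return False
        acct["locked"] = True    # freeze the account at once
        acct["pending"] = None   # and drop any change waiting for confirmation
        return True
```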
|
|
|
Dec 16, 2009, 05:14 AM // 05:14
|
#160
|
Ascalonian Squire
|
What in the world is this:
Quote:
Originally Posted by Gaile Gray
http://wiki.guildwars.com/wiki/Feedback_talk:Gaile_Gray/Support_Issues#Update:_15_December_2009
Allow me to disabuse you of an erroneous assumption: My statements do not in any way pertain to the totality of our research, nor do they relate to a sole or singular approach being taken in investigating hacking/theft incidents. We are most definitely not looking solely for a commonality of attack. We are not looking exclusively for a single person or entity involved with account thefts, although we know nearly all are being carried out by a specific group in a certain location. Some players have publicly stated an assumption about NCMA security and its purported "connection" to account thefts. With support from the Community Team and the developers, I have informed people that such an assumption is wrong, as above.
Please do not take my comments out of context, nor perceive in them a singularity of view on our part, for that would most definitely not be factual. Do not assume that your comments -- tantamount to "Because you are looking behind the door, you are not seeing the burglar in the closet" -- represent the truth of the situation, for they do not. Research covers a wide variety of points of evidence that merely includes the NCMA, but does not focus upon it with any single-faceted vision whatsoever.
As far as your concerns about the NCMA and processes connected with it, I believe that all those observations are known to the NCsoft team. However, I will review the thread in question and will be sure to send a single message with all valid concerns to the team, for their focus and action, as possible. Thank you for encapsulating several valid comments in a single thread. -- Gaile 00:04, 16 December 2009
|
Does anybody at all believe that Gaile Gray actually wrote that?
|
|
|
All times are GMT.
|